CN109076075A - Access corporate resources - Google Patents
- Publication number: CN109076075A (application number CN201780024479.4A)
- Authority: CN (China)
- Prior art keywords: response, application, mobile device, certificate, authentication
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/0823: Network architectures or network communication protocols for network security, for authentication of entities using certificates (H > H04 > H04L > H04L63/00 > H04L63/08)
- G06F21/31: User authentication (G > G06 > G06F > G06F21/00 security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/30 authentication, i.e. establishing the identity or authorisation of security principals)
- H04L63/0807: Network security, for authentication of entities using tickets, e.g. Kerberos (H > H04 > H04L > H04L63/00 > H04L63/08)
- H04L63/0892: Network security, for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols (H > H04 > H04L > H04L63/00 > H04L63/08)
- H04L63/10: Network security, for controlling access to devices or network resources (H > H04 > H04L > H04L63/00)
- H04W12/37: Managing security policies for mobile devices or for controlling mobile applications (H > H04 > H04W wireless communication networks > H04W12/00 security arrangements; authentication; protecting privacy or anonymity > H04W12/30 security of mobile devices; security of mobile applications)
- H04W12/06: Authentication (H > H04 > H04W > H04W12/00)
Abstract
Systems, methods and software for accessing corporate resources are described. In some aspects, an enterprise mobility management (EMM) client on a mobile device receives, from an EMM server, a certificate used to access corporate resources at one or more service providers (SPs). An application on the mobile device sends an authentication request to an identity provider. In response to the authentication request, an authentication challenge is received from the identity provider; the authentication challenge includes a certificate request. In response to the authentication challenge, the application sends an authentication response that includes the certificate. An authorization token is then received from the identity provider. The authorization token indicates whether the identity provider verified the certificate and the mobile device.
Description
Priority claim
This application claims priority to U.S. Patent Application No. 15/060,466, filed March 3, 2016, the entire contents of which are incorporated herein by reference.
Background
This disclosure relates to accessing corporate resources. In some cases, when attempting to obtain a service from a service provider over a network, an application on a mobile device sends the service provider a request to access a resource. If the application is authorized to access that resource, the service provider can grant the access.
Description of the drawings
Fig. 1 is a schematic diagram showing an example communication system for accessing corporate resources.
Fig. 2 is a flowchart showing an example process for accessing corporate resources.
Fig. 3 is a block diagram showing an example mobile device.
Fig. 4 is a flowchart showing an example method for accessing corporate resources.
Identical reference numerals and designations in the various drawings indicate identical elements.
Detailed description
In some cases, access to a service provider's resource is restricted, for example by a login process. During login, the user is prompted for a username and password; if the username and password are verified, the user is granted access to the resource.
In some cases, the user performs the login process for every application that requests a restricted resource. Managing multiple usernames and passwords can degrade the user experience. In some cases a single sign-on (SSO) process is used instead. During SSO, the user supplies one set of username and password to multiple applications, associated with a common entity, that request restricted resources. For example, a user can use one username and password to access resources of an enterprise from multiple enterprise applications associated with that enterprise. During SSO, when one of the enterprise applications attempts to access a corporate resource, the user may be prompted to enter the same username and password. In some cases the username or password is stored in the device's file system, for example in a cache or a cookie, so that it can be retrieved without further user input. However, the file system may not be part of a secure environment and is therefore exposed to attack by malicious applications.
In some cases a zero sign-on (ZSO) process is used to further improve the user experience. During ZSO, the user is authenticated without entering a username or password. In some cases, during ZSO, when an application on the mobile device requests a corporate resource from a service provider (SP), the SP redirects the request to an identity provider (IDP). The IDP can request a certificate from the application and send that certificate to the SP for verification. In some cases the certificate is sent in the holder-of-key subject confirmation field of a Security Assertion Markup Language (SAML) assertion. The SP verifies the certificate and grants the application access accordingly. In these cases the SP must be customized to verify certificates sent by the IDP. For example, the IDP may provide the SP with a software development kit (SDK) that the SP uses to implement the certificate verification process. Alternatively or additionally, an application package can be used to verify the certificate: the IDP sends the SP an application package containing a certificate-verification extension, and the SP uses that extension to perform the verification. These approaches, however, increase the SP's implementation complexity. In some cases an SP serves several enterprises, each using a different IDP; in these and other cases the SP must implement a different certificate-verification customization for each IDP.
In some cases, an enterprise mobility management (EMM) server that manages the mobile devices of a specific enterprise can be used during device registration to provision the certificate used to access that enterprise's resources. The certificate can be signed by the ID P associated with the enterprise, and the EMM server sends the signed certificate to the mobile device. The certificate can be stored in a secure environment on the mobile device and accessed by the applications on the device that are authorized to access the enterprise's resources. An application requesting a corporate resource can send the certificate to the IDP during a handshake protocol between the application and the IDP, and the IDP can verify the certificate and the mobile device. Figs. 1-4 and the associated descriptions provide additional details of these implementations.
This approach offers one or more advantages. For example, the SP can avoid customizing certificate verification for different IDPs, which reduces implementation complexity. In addition, the device or the user can be verified as well as the application requesting the resource, which raises the security level. Furthermore, the certificate can be managed in a secure environment that provides additional protection.
Fig. 1 is a schematic diagram showing an example communication system 100 that provides access to corporate resources. Example communication system 100 includes a mobile device 102 that is communicatively coupled, through a wireless communication network 110, with a service provider (SP) 130, an enterprise mobility management (EMM) server 140 and an identity provider (IDP) 150.
SP 130 represents an application, set of applications, software, software module, hardware or combination thereof that can be configured to provide corporate resources. Corporate resources may include file systems, websites, portals or any other resource defined to provide enterprise services. In some cases, applications that have been verified are permitted to access corporate resources. Figs. 2-4 and the associated descriptions provide additional details of these implementations.
IDP 150 represents an application, set of applications, software, software module, hardware or combination thereof that can be configured to identify entities. In some cases IDP 150 is also referred to as an identity assertion provider. IDP 150 can verify an application requesting access to corporate resources and assert to SP 130 that the application is authenticated. In some cases IDP 150 can also verify the user or mobile device associated with the request. Figs. 2-4 and the associated descriptions provide additional details of these implementations.
EMM server 140 represents an application, set of applications, software, software module, hardware or combination thereof that can be configured to manage enterprise applications and devices. For example, EMM server 140 can install, update and manage licences for enterprise applications. In some cases EMM server 140 includes an application store for enterprise applications. In some cases EMM server 140 includes a database of the licensing status of the users and mobile devices that may access corporate resources.
Example communication system 100 includes mobile device 102. As shown in Fig. 1, the mobile device includes an EMM client 122, a browser 124, an enterprise application 126, a framework 132 and a keystore 134.
EMM client 122 represents an application, set of applications, software, software module, hardware or combination thereof that can be configured to manage enterprise services on mobile device 102. In some cases EMM client 122 configures enterprise application 126 through an application programming interface (API).
In some cases EMM client 122 communicates with EMM server 140 to manage access to corporate resources on mobile device 102. In some cases a certificate is used to authenticate an application requesting access to corporate resources. In some cases the certificate is obtained during registration of mobile device 102.
In one example, during registration EMM client 122 generates a private-public key pair and sends a certificate signing request (CSR) to EMM server 140. The CSR includes the generated public key. EMM server 140 forwards the CSR to IDP 150. In some cases EMM server 140 also sends IDP 150 additional information along with the CSR, for example information associated with mobile device 102, a user identifier for the user of mobile device 102, an enterprise identifier for the enterprise managed by EMM server 140, the rights of the user of mobile device 102 to access corporate resources, or a combination thereof. IDP 150 can use the public key received in the CSR to prepare a certificate for mobile device 102, for example by signing the certificate with the private key of IDP 150, and send the signed certificate to EMM server 140. EMM server 140 forwards the certificate to EMM client 122.
Framework 132 represents an application, set of applications, software, software module, hardware or combination thereof that can be configured to manage the operating environment on mobile device 102. In some cases framework 132 includes the operating system of mobile device 102. In some cases framework 132 manages access to the keystore. In these or other cases, EMM client 122, browser 124 and enterprise application 126 access the certificate in keystore 134 through framework 132.
Keystore 134 represents an application, set of applications, software, software module, hardware or combination thereof that can be configured to store certificates used to access corporate resources. In some cases EMM client 122 stores the signed certificate received from EMM server 140 in keystore 134. In some cases keystore 134 is part of a trust zone (TZ). A TZ is a secure execution environment configured to isolate its operating environment from the general operating system of the mobile device. A TZ may include a set of security extensions that can be used to perform secure operations, and secure operations can be performed in the TZ at a higher security level. Examples of secure operations performed in the TZ include generating a certificate, requesting a certificate and updating a certificate. In some cases the TZ is implemented using a hardware processor to provide additional security.
Browser 124 represents an application, set of applications, software, software module, hardware or combination thereof that can be configured to access websites. In some cases browser 124 complies with the Security Assertion Markup Language (SAML) 2.0 standard. In some cases browser 124 accesses enterprise websites to obtain corporate resources.
Enterprise application 126 represents an application, set of applications, software, software module or combination thereof that can execute enterprise services at an SP and access corporate resources. Examples of enterprise application 126 include an e-mail application for an enterprise account, an enterprise document-sharing application, enterprise development tools and third-party software-as-a-service (SaaS) applications.
In some cases the certificate described above is provisioned only for applications authorized to access corporate resources (for example, browser 124 and enterprise application 126). Therefore, if an application other than browser 124 or enterprise application 126 requests the certificate, the request may be rejected. In some cases EMM client 122 uses a whitelist to provision the authorized resources: the whitelist contains the list of applications authorized to request the certificate. In some cases EMM client 122 uses a blacklist instead: the blacklist contains the list of applications not authorized to request the certificate. In some cases the whitelist or blacklist is managed by framework 132, which checks the whitelist or blacklist before permitting a certificate request. In some cases a container (for example a KNOX workspace container or an ANDROID work managed profile container) is used to provision the authorized applications.
In some cases the applications for which the certificate is provisioned are determined by IDP 150, EMM server 140, SP 130 or a combination thereof. EMM client 122 can receive provisioning instructions from EMM server 140 and set up the provisioning accordingly.
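The whitelist, blacklist and container rules above, as an added Go example; this is not code from the patent or from any framework, EMM product or container technology it mentions. Keystore, Policy, Authorised and Retrieve are hypothetical names, the application identifiers used with it are constructed, and the model identifies a calling application by a bare name string, which a real framework would not rely on (it would use the caller identity the operating system establishes).

```go
package main

import "errors"

// Policy is how framework 132 decides which applications may read the enterprise
// certificate out of keystore 134: only the listed apps (whitelist), every app except
// the listed ones (blacklist), or only apps installed in the managed work container.
type Policy int

const (
	Whitelist Policy = iota
	Blacklist
	Container
)

// Keystore holds the IDP-signed certificate together with the provisioning rule the EMM
// client installed. Every decision is appended to Audit so that a reviewer can see which
// application asked for the certificate and whether it was handed out.
type Keystore struct {
	cert        []byte
	policy      Policy
	listed      map[string]bool // applications named by the whitelist or blacklist
	inContainer map[string]bool // applications installed inside the work container
	Audit       []string
}

// NewKeystore installs the certificate and the rule; listed and inContainer carry the
// application identifiers named by the EMM server's provisioning instruction.
func NewKeystore(cert []byte, policy Policy, listed, inContainer []string) *Keystore {
	k := &Keystore{cert: cert, policy: policy, listed: map[string]bool{}, inContainer: map[string]bool{}}
	for _, app := range listed {
		k.listed[app] = true
	}
	for _, app := range inContainer {
		k.inContainer[app] = true
	}
	return k
}

// Authorised applies the rule. The defaults differ: an application nobody has heard of
// is refused under Whitelist and Container but admitted under Blacklist, so a blacklist
// protects the certificate only against applications already known to be unwanted.
func (k *Keystore) Authorised(app string) bool {
	switch k.policy {
	case Whitelist:
		return k.listed[app]
	case Blacklist:
		return !k.listed[app]
	case Container:
		return k.inContainer[app]
	}
	return false // unknown policy value: fail closed
}

// Retrieve is the check the framework runs when an application asks for the certificate
// to build its authentication response; a refused request gets no certificate bytes.
func (k *Keystore) Retrieve(app string) ([]byte, error) {
	if !k.Authorised(app) {
		k.Audit = append(k.Audit, "deny "+app)
		return nil, errors.New("application not authorised to use the enterprise certificate")
	}
	k.Audit = append(k.Audit, "allow "+app)
	return k.cert, nil
}
```

The audit trail is the piece worth keeping in a real deployment: a certificate request from an application that is neither the browser nor a provisioned enterprise application is exactly the signal the text's "request may be rejected" refers to, and a denied request logged by the framework is what lets the EMM client report it.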
In some cases an application (for example browser 124 or enterprise application 126) requests a corporate resource from SP 130. The application sends an authentication request to IDP 150. IDP 150 sends an authentication challenge to the application. The application sends an authentication response that includes the certificate for accessing corporate resources. IDP 150 verifies the certificate and sends an authorization token to the application. The application passes the authorization token to SP 130 to access the corporate resource. Figs. 2-4 and the associated descriptions provide additional details of these implementations.
As shown in Fig. 1, the example communication system includes wireless communication network 110. Wireless communication network 110 may include one or more radio access networks (RANs), core networks (CNs) and external networks. A RAN may include one or more radio access technologies. In some implementations the radio access technology can be Global System for Mobile Communications (GSM), Interim Standard 95 (IS-95), Universal Mobile Telecommunications System (UMTS), CDMA2000 (CDMA), Evolved Universal Mobile Telecommunications System (UMTS), Long Term Evolution (LTE) or LTE-Advanced. In some cases the core network is an Evolved Packet Core (EPC).
A RAN is the part of a radio telecommunications system that implements a radio access technology, such as UMTS, CDMA2000, 3GPP LTE and 3GPP LTE-A. In many applications a RAN includes at least one base station. A base station may be a radio base station that controls all or at least some of the radio-related functions of the fixed part of the system. The base station provides a radio interface for communication with mobile device 102 within its coverage area, or cell. Base stations can be distributed across a cellular network to provide a wide coverage area. A base station communicates directly with one or more mobile devices, other base stations and one or more core network nodes. A base station can operate in any of several wireless communication technologies. Example wireless technologies include Global System for Mobile Communications (GSM), Universal Mobile Telecommunications System (UMTS), 3GPP Long Term Evolution (LTE), LTE-Advanced (LTE-A), WiMAX and others. Example wireless broadband communication systems include IEEE 802.11 wireless LANs, IEEE 802.16 WiMAX networks and others.
Turning to general description, a mobile device (for example mobile device 102) may be referred to as a mobile electronic device, user device, mobile station, subscriber station, portable electronic device, mobile communication device, wireless modem or wireless terminal. Examples of a mobile device (for example mobile device 102) include a cellular phone, personal digital assistant (PDA), smartphone, laptop computer, tablet personal computer (PC), pager, portable computer, portable gaming device, wearable electronic device, or other mobile communication device having components for transmitting voice or data over a wireless communication network. The wireless communication network may include a radio link over licensed spectrum, unlicensed spectrum or both. The term "mobile device" can also refer to any hardware or software component that can terminate a user's communication session. In addition, the terms "user equipment", "UE", "user device", "user agent", "UA" and "mobile device" can be used synonymously herein.
Fig. 2 is a flowchart showing an example process 200 for accessing corporate resources. Process 200 can be implemented by any type of system or module that accesses corporate resources; for example, process 200 can be implemented by mobile device 102, SP 130, IDP 150 or a combination thereof, as shown in Fig. 1. Example process 200 shown in Fig. 2 can also be implemented with additional, fewer or different operations, which can be performed in the order shown or in a different order.
Example process 200 begins at 202, where an access request for a corporate resource is sent. For example, the access request can be a request for an enterprise service. In some cases, as shown in Fig. 2, the access request is sent by browser 124 on the mobile device. Alternatively or in combination, the access request is sent by enterprise application 126 on the mobile device. In some cases, as discussed above, the entity sending the access request (for example browser 124 or enterprise application 126) has been provisioned with authorization to access corporate resources. In some cases, as shown in Fig. 2, the access request is sent to SP 130, which provides the enterprise service and manages the corporate resource. For example, the access request can be a Simple Object Access Protocol (SOAP) message or a Hypertext Transfer Protocol (HTTP) Representational State Transfer (REST) message.
At 204, in response to the access request, SP 130 sends an authentication request to browser 124, and browser 124 forwards the authentication request to IDP 150. In some cases, in response to the forwarded authentication request, browser 124 can present a web page associated with IDP 150.
In some cases browser 124 can initiate authentication without first accessing SP 130. For example, browser 124 can skip step 202 and, as its response to the access request, generate the authentication request itself rather than receiving it from SP 130. Browser 124 then sends the generated authentication request to IDP 150. For example, the authentication request can be an HTTP message or an HTTP Secure (HTTPS) message.
At 206, IDP 150 sends an authentication challenge to browser 124. In some cases the authentication challenge includes a request for the certificate. In some cases the authentication challenge is sent using the Transport Layer Security (TLS) handshake protocol.
At 208, browser 124 sends an authentication response to IDP 150 in response to the authentication challenge. In some cases the authentication response is sent using the Transport Layer Security (TLS) handshake protocol.
In some cases the authentication response includes the certificate, for example the certificate received by EMM client 122 as discussed above with respect to Fig. 1. In some cases browser 124 accesses a keystore on mobile device 102 (for example keystore 134 shown in Fig. 1) to retrieve the certificate. In some cases the certificate is provisioned only for applications authorized to access corporate resources. In these or other cases the keystore, the operating system of the mobile device or a combination thereof determines whether browser 124 is authorized to use the certificate. If browser 124 is authorized, it can retrieve the certificate. If browser 124 is not authorized, the retrieval can be blocked, and browser 124 cannot use the certificate to generate the authentication response.
In some cases the authentication response does not include user-entered authentication credentials (such as a username and password). In these or other cases the authentication response can be generated and sent to IDP 150 without user interaction, which speeds up the authentication process.
In some cases IDP 150 sends a second authentication request to browser 124. The second authentication request can include a request for authentication credentials. In these or other cases a user interface is presented on the mobile device, and the user provides credentials, such as a username and password or some other second-factor credential. Browser 124 sends a second authentication response that includes the authentication credentials. This method can provide additional security in the authentication process. In some cases the EMM server specifies whether IDP 150 requests authentication credentials.
In some cases authentication includes verifying the certificate included in the authentication response. The verification process can be performed by IDP 150, the EMM server, a combination thereof, or any other entity able to perform the authentication computation. In one example the certificate is signed with the private key of IDP 150; IDP 150 can therefore determine whether the certificate is trustworthy by verifying its signature.
In some cases, in addition to verifying the certificate, IDP 150 also determines whether the user or mobile device is authorized to access corporate resources. For example, as discussed above, information associated with the certificate (for example user information, mobile device information or a combination thereof) can be sent to IDP 150 when the certificate is generated. IDP 150 can therefore check whether the user or mobile device is authorized to access corporate resources. In some cases a user or mobile device may lose authorization. In one example the user is a former employee who has lost authorization. In another example the mobile device is no longer authorized because it does not comply with the security policy set by the enterprise. In these or other cases IDP 150 can determine that the user or mobile device is not verified.
In some cases the EMM server tracks the status of users and mobile devices. For example, the EMM client can monitor the mobile device and report any security problem, such as malware, to the EMM server. In some cases, if a security problem exists and the user or mobile device is no longer authorized, the EMM server updates IDP 150. Alternatively or in combination, IDP 150 can query the EMM server for the status of the user or mobile device and verify the user or mobile device accordingly.
In some cases, as discussed above, the authentication response includes user credentials. In these or other cases the user credentials can be verified to determine whether the user is authorized. The verification can be performed by IDP 150, the EMM server or a combination thereof.
At 210, IDP 150 sends an authorization token to browser 124. In some cases the authorization token is sent in response to authentication of browser 124. In some cases the authorization token includes a user name, an authentication status or a combination thereof. The authentication status indicates whether authentication succeeded or failed. For example, if any of the verification processes discussed above (for example certificate verification, user or mobile device verification, or user credential verification) is unsuccessful, the authentication status can be set to failure. If all verification processes succeed, the authentication status can be set to success.
In some cases the authorization token is signed with the private key of IDP 150. In some cases the authorization token is formatted as a Security Assertion Markup Language (SAML) assertion or an OpenID Connect ID token. The SAML assertion need not include key information for authentication. For example, the SAML assertion need not include a holder-of-key subject confirmation field when the SP does not support it.
At 212, browser 124 sends the authorization token to SP 130. In some cases browser 124 sends the authorization token using a POST command. SP 130 can determine whether browser 124 is authorized to access corporate resources based on the authentication status in the authorization token. In some cases, as discussed above, the authorization token is signed with the private key of IDP 150. In these or other cases SP 130 can verify the signature on the authorization token using the public key of IDP 150.
At 214, if the authentication status indicates success, SP 130 can grant browser 124 access to the corporate resource, as shown in Fig. 2. If the authentication status indicates failure, SP 130 can refuse browser 124 access.
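The registration described with Fig. 1 (key pair, CSR through the EMM server, certificate signed by the IDP) and steps 204 to 214 of Fig. 2 (challenge, certificate response, verification including the EMM-fed device status, signed authorization token, token check at the SP), as one added Go example; it is not code from the patent or from any IDP, EMM or SP product. It assumes Ed25519 keys and X.509 certificates from Go's standard library, a signature over the challenge nonce standing in for the proof of possession a TLS client-certificate handshake gives, and a plain signed "<device>:<state>" payload in place of a SAML assertion or ID token. NewIDP, PublicKey, Enrol, Challenge, Respond, Verify, Revoke, SPAccept and the identifiers "device-0001" and "Example IDP CA" are hypothetical names chosen for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"strings"
	"time"
)

// IDP holds the identity provider's signing key, the CA certificate under which it issues
// device certificates, and the per-device authorisation state the EMM server feeds it.
type IDP struct {
	priv       ed25519.PrivateKey
	caCert     *x509.Certificate
	authorised map[string]bool // false once the EMM server reports the device non-compliant
}

// AuthToken is "<device>:<success|failure>" plus the IDP's signature over it, a stand-in for the SAML assertion.
type AuthToken struct{ Payload, Sig []byte }

func check(err error) { // setup errors in this example panic rather than propagate
	if err != nil {
		panic(err)
	}
}

func NewIDP() *IDP { // the IDP key pair and the self-signed CA that issues device certificates
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example IDP CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, t, t, pub, priv)
	check(err)
	ca, err := x509.ParseCertificate(der)
	check(err)
	return &IDP{priv: priv, caCert: ca, authorised: map[string]bool{}}
}

// PublicKey is what the SP is configured with to verify tokens.
func (idp *IDP) PublicKey() ed25519.PublicKey { return idp.caCert.PublicKey.(ed25519.PublicKey) }

// Enrol is the Fig. 1 registration: the EMM client makes a key pair and a CSR, the EMM server forwards
// it with the device identifier, and the IDP signs the certificate and marks the device authorised.
func Enrol(idp *IDP, device string) (ed25519.PrivateKey, []byte) {
	_, devPriv, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	csrDER, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: device}}, devPriv)
	check(err)
	csr, err := x509.ParseCertificateRequest(csrDER) // IDP side from here on
	check(err)
	check(csr.CheckSignature()) // the CSR must be signed by the key it carries
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: csr.Subject,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature}
	certDER, err := x509.CreateCertificate(rand.Reader, t, idp.caCert, csr.PublicKey, idp.priv)
	check(err)
	idp.authorised[device] = true
	return devPriv, certDER // what the EMM client stores in the keystore
}

func Challenge() []byte { // step 206: the certificate request carries a fresh nonce
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	check(err)
	return nonce
}

// Respond (step 208) returns the certificate and a signature over the nonce, the proof of possession a TLS client-certificate handshake provides.
func Respond(devPriv ed25519.PrivateKey, certDER, nonce []byte) ([]byte, []byte) {
	return certDER, ed25519.Sign(devPriv, nonce)
}

// Verify (step 210) rejects a certificate not issued by this IDP or outside its validity window (CheckSignatureFrom
// ignores dates) and a response without proof of possession, then issues a token whose state reflects EMM's view.
func (idp *IDP) Verify(certDER, nonce, sig []byte) (AuthToken, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil || cert.CheckSignatureFrom(idp.caCert) != nil {
		return AuthToken{}, errors.New("certificate unparsable or not issued by this IDP")
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if time.Now().After(cert.NotAfter) || time.Now().Before(cert.NotBefore) || !ok || !ed25519.Verify(pub, nonce, sig) {
		return AuthToken{}, errors.New("certificate expired or proof of possession failed")
	}
	state := "failure"
	if idp.authorised[cert.Subject.CommonName] {
		state = "success"
	}
	payload := []byte(cert.Subject.CommonName + ":" + state)
	return AuthToken{Payload: payload, Sig: ed25519.Sign(idp.priv, payload)}, nil
}

func (idp *IDP) Revoke(device string) { idp.authorised[device] = false } // EMM reports loss of authorisation

// SPAccept (steps 212-214): the SP checks only the IDP's signature and the authentication state.
func SPAccept(idpPub ed25519.PublicKey, tok AuthToken) bool {
	return ed25519.Verify(idpPub, tok.Payload, tok.Sig) && strings.HasSuffix(string(tok.Payload), ":success")
}
```

Two points the text makes that the code makes concrete: the SP never handles the certificate (SPAccept knows only the IDP's public key), and a certificate that is still cryptographically valid is not sufficient on its own, because Verify consults the EMM-fed state and issues a failure token for a device that was enrolled but later reported non-compliant. A production IDP would additionally keep each nonce single-use and bind the nonce to the session; the example does not.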
Fig. 3 is a block diagram showing an example mobile device 300. The illustrated device 300 includes a processing unit 302, a computer-readable storage medium 304 (for example ROM or flash memory), a wireless communication subsystem 306, a user interface 308 and an I/O interface 310.
Processing unit 302 may include one or more processing components (also referred to as "processors" or "central processing units" (CPUs)) configured to execute instructions related to one or more of the processes, steps or actions described herein in connection with one or more of the implementations disclosed herein. In some implementations processing unit 302 can be configured to generate control information (such as measurement reports) or to respond to received information (such as control information from a network node). Processing unit 302 can also be configured to make radio resource management (RRM) decisions, such as cell selection/reselection or triggering measurement reports. Processing unit 302 can also include other auxiliary components, such as random access memory (RAM) and read-only memory (ROM). Computer-readable storage medium 304 can store the operating system (OS) of device 300 and various other computer-executable instructions, logic or software programs for performing one or more of the processes, steps or actions described above. In some cases computer-readable storage medium 304 can be transitory, non-transitory or a combination thereof.
Wireless communication subsystem 306 can be configured to provide wireless communication for voice, data and/or control information provided by processing unit 302. Wireless communication subsystem 306 may include, for example, one or more antennas, receivers, transmitters, local oscillators, mixers and digital signal processing (DSP) units. In some implementations subsystem 306 supports multiple-input multiple-output (MIMO) transmission. In some implementations the receivers in wireless communication subsystem 306 can be advanced receivers or baseline receivers. Two receivers can be implemented with identical, similar or different receiver processing algorithms.
User interface 308 may include, for example, one or more of a screen or touch screen (for example a liquid crystal display (LCD), a light-emitting display (LED), an organic light-emitting display (OLED) or a micro-electromechanical system (MEMS) display), a keyboard or keypad, a trackball, a speaker and a microphone. I/O interface 310 may include, for example, a universal serial bus (USB) interface.
Fig. 4 is a flowchart showing an example method 400 for accessing corporate resources. Method 400 can be implemented by any type of system or module that accesses corporate resources; for example, method 400 can be implemented by mobile device 102 shown in Fig. 1. Example method 400 shown in Fig. 4 can also be implemented with additional, fewer or different operations, which can be performed in the order shown or in a different order.
Method 400 begins at 402, where an enterprise mobility management (EMM) client on the mobile device receives, from an EMM server, a certificate for accessing enterprise resources. In some cases, the EMM client can generate a key pair for accessing enterprise resources and obtain the signed certificate from the EMM server by sending the EMM server a certificate signing request (CSR) that includes the generated public key. At 404, an application on the mobile device sends an authentication request to an identity provider. In some cases, the authentication response is sent in response to determining that the application is provisioned to use the certificate of the enterprise associated with the enterprise resources. In some cases, the application sends an access request to a service provider that provides enterprise services for the enterprise; in these cases, the authentication request is received from the service provider in response to the access request. Alternatively or additionally, the authentication request is initiated in response to the application accessing the identity provider. At 406, in response to the authentication request, an authentication challenge is received from the identity provider. The authentication challenge includes a certificate request. At 408, in response to the authentication challenge, an authentication response is sent from the application. The authentication response includes the certificate. In some cases, in response to the authentication response, a second authentication request for a service credential is received. In response to the second authentication request, a second authentication response is sent. The second authentication response includes the service credential associated with the application. At 410, an authorization token is received from the identity provider. The authorization token indicates whether the identity provider has verified the certificate and the mobile device.
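The exchange in steps 402 to 410, as an added example that is not part of the patent or of any product it describes. It is a constructed Python model: the EMM server acts as the enterprise certificate authority, the EMM client generates the device key pair and sends a CSR carrying only the public key, the application answers the identity provider's challenge with the certificate plus a proof of possession of the matching private key, and the identity provider returns an authorization token recording whether it verified both the certificate and the device. Signatures are textbook RSA over fixed Mersenne primes so the model runs on the standard library alone (a real deployment uses X.509 certificates presented in the TLS client-certificate handshake of claim 5). The class and field names, the challenge nonce, the enrolment check in the EMM server and the per-application provisioning check of claim 2 are this example's assumptions, not the patent's specification.

```python
import hashlib
import json
import secrets

RSA_E = 65537  # the fixed Mersenne primes below are toy RSA parameters (assumption; real code generates keys)

def _digest_int(data: bytes) -> int:
    """SHA-256 of the data as an integer: the value that gets signed."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def _canonical(obj: dict) -> bytes:
    """Deterministic serialisation so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

class ToyKeyPair:
    """Textbook RSA over fixed primes, standing in for real keys and X.509 signatures."""

    def __init__(self, p: int, q: int):
        self.n, self._d = p * q, pow(RSA_E, -1, (p - 1) * (q - 1))

    def sign(self, data: bytes) -> int:
        return pow(_digest_int(data) % self.n, self._d, self.n)

    @staticmethod
    def verify(n: int, data: bytes, sig: int) -> bool:
        return pow(sig, RSA_E, n) == _digest_int(data) % n

class EmmServer:
    """Enterprise CA behind the EMM server: signs CSRs of enrolled devices (step 402)."""

    def __init__(self, p: int = 2**61 - 1, q: int = 2**89 - 1, name: str = "enterprise-ca"):
        self.key, self.name, self.enrolled = ToyKeyPair(p, q), name, set()

    def sign_csr(self, csr: dict) -> dict:
        if csr["device_id"] not in self.enrolled:  # only managed devices get a certificate
            raise PermissionError("device is not enrolled in EMM")
        tbs = {"issuer": self.name, "subject": csr["device_id"], "pub_n": csr["pub_n"]}
        return {**tbs, "sig": self.key.sign(_canonical(tbs))}

class EmmClient:
    """EMM client on the device: owns key pair and certificate, and decides which apps may use them (claim 2)."""

    def __init__(self, device_id: str, emm: EmmServer):
        self.allowed_apps = set()
        self.key = ToyKeyPair(2**107 - 1, 2**127 - 1)  # the "generated" device key pair
        # the CSR carries only the public key; the private key never leaves the client
        self.cert = emm.sign_csr({"device_id": device_id, "pub_n": self.key.n})

    def use_certificate(self, app: str, nonce: str):
        """(certificate, proof of possession over the nonce), or None for an unprovisioned app."""
        if app not in self.allowed_apps:
            return None
        return self.cert, self.key.sign(nonce.encode())

class IdentityProvider:
    """Trusts one enterprise CA; verifies certificate, device and freshness (steps 406-410)."""

    def __init__(self, ca_n: int):
        self.ca_n, self.pending = ca_n, {}  # pending: nonce -> app the challenge was issued to

    def challenge(self, auth_request: dict) -> dict:
        nonce = secrets.token_hex(16)
        self.pending[nonce] = auth_request["app"]
        return {"nonce": nonce, "certificate_request": True}

    def verify(self, response: dict) -> dict:
        cert, nonce = response["certificate"], response["nonce"]
        tbs = {k: v for k, v in cert.items() if k != "sig"}
        checks = {
            "fresh_challenge": self.pending.pop(nonce, None) == response["app"],  # single use, app-bound
            "cert_from_enterprise_ca": ToyKeyPair.verify(self.ca_n, _canonical(tbs), cert["sig"]),
            "device_holds_key": ToyKeyPair.verify(cert["pub_n"], nonce.encode(), response["pop"]),
        }
        return {"verified": all(checks.values()), "checks": checks, "subject": cert["subject"]}

def authenticate(app: str, client: EmmClient, idp: IdentityProvider) -> dict:
    """Steps 404-410 from the application's side; the token returned also keeps the response sent."""
    challenge = idp.challenge({"app": app})  # 404 / 406
    material = client.use_certificate(app, challenge["nonce"])
    if material is None:  # claim 2: app not provisioned, so no authentication response is sent
        return {"verified": False, "checks": {}, "subject": None, "response": None}
    cert, pop = material
    response = {"app": app, "nonce": challenge["nonce"], "certificate": cert, "pop": pop}  # 408
    return {**idp.verify(response), "response": response}  # 410

def scenarios() -> dict:
    """Constructed run: one enrolled device, one provisioned app, three failure modes."""
    emm, rogue = EmmServer(), EmmServer(2**521 - 1, 2**31 - 1, "rogue-ca")
    emm.enrolled.add("device-0001"); rogue.enrolled.add("device-0001")
    client, rogue_client = EmmClient("device-0001", emm), EmmClient("device-0001", rogue)
    client.allowed_apps.add("mail"); rogue_client.allowed_apps.add("mail")
    idp = IdentityProvider(emm.key.n)  # the IdP trusts only the enterprise CA's public key
    good = authenticate("mail", client, idp)
    return {
        "provisioned_app": good["verified"],
        "unprovisioned_app": authenticate("game", client, idp)["verified"],
        "replayed_response": idp.verify(good["response"])["verified"],  # nonce already consumed
        "untrusted_ca": authenticate("mail", rogue_client, idp)["verified"],
    }
```

Calling `scenarios()` returns `verified` True only for the provisioned application on the enrolled device. The three other entries show what the identity provider's token must report as unverified: an application that is not provisioned to use the enterprise certificate never sends an authentication response (the claim 2 check happens on the device, before anything leaves it), a replayed authentication response fails because the challenge nonce is consumed on first use, and a certificate issued by a CA the identity provider does not trust fails signature verification even though the device holding it can prove possession of its key.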
Some of the subject matter and operations described in this specification can be implemented in digital electronic circuitry, or in computer software, firmware, or hardware, including the structures disclosed in this specification and their structural equivalents, or in combinations of one or more of them. Some of the subject matter described in this specification can be implemented as one or more computer programs, i.e., one or more modules of computer program instructions, encoded on a computer storage medium for execution by, or to control the operation of, data processing apparatus. A computer storage medium can be, or can be included in, a computer-readable storage device, a computer-readable storage substrate, a random or serial access memory array or device, or a combination of one or more of them. Moreover, while a computer storage medium is not a propagated signal, a computer storage medium can be a source or destination of computer program instructions encoded in an artificially generated propagated signal. The computer storage medium can also be, or be included in, one or more separate physical components or media (for example, multiple CDs, disks, or other storage devices).
The term "data processing apparatus" encompasses all kinds of apparatus, devices, and machines for processing data, including by way of example a programmable processor, a computer, a system on a chip, or multiples or combinations of the foregoing. The apparatus can include special purpose logic circuitry, e.g., an FPGA (field programmable gate array) or an ASIC (application-specific integrated circuit). In addition to hardware, the apparatus can also include code that creates an execution environment for the computer program in question, e.g., code that constitutes processor firmware, a protocol stack, a database management system, an operating system, a cross-platform runtime environment, a virtual machine, or a combination of one or more of them.
A computer program (also known as a program, software, software application, script, or code) can be written in any form of programming language, including compiled or interpreted languages, declarative or procedural languages. A computer program may, but need not, correspond to a file in a file system. A program can be stored in a portion of a file that holds other programs or data (e.g., one or more scripts stored in a markup language document), in a single file dedicated to the program in question, or in multiple coordinated files (e.g., files that store one or more modules, sub-programs, or portions of code). A computer program can be deployed to be executed on one computer or on multiple computers that are located at one site or distributed across multiple sites and interconnected by a communication network.
Some of the processes and logic flows described in this specification can be performed by one or more programmable processors executing one or more computer programs to perform actions by operating on input data and generating output. The processes and logic flows can also be performed by, and apparatus can also be implemented as, special purpose logic circuitry, e.g., an FPGA (field programmable gate array) or an ASIC (application-specific integrated circuit).
Processors suitable for the execution of a computer program include, by way of example, both general and special purpose microprocessors, and processors of any kind of digital computer. Generally, a processor will receive instructions and data from a read-only memory or a random access memory or both. A computer may include a processor that performs actions in accordance with instructions and one or more memory devices that store the instructions and data. A computer may also include, or be operatively coupled to receive data from or transfer data to, or both, one or more mass storage devices for storing data (e.g., magnetic disks, magneto-optical disks, or optical disks). However, a computer need not have such devices. Devices suitable for storing computer program instructions and data include all forms of non-volatile memory, media, and memory devices, including by way of example semiconductor memory devices (e.g., EPROM, EEPROM, flash memory devices), magnetic disks (e.g., internal hard disks, removable disks, and others), magneto-optical disks, and CD-ROM and DVD-ROM disks. In some cases, the processor and the memory can be supplemented by, or incorporated in, special purpose logic circuitry.
To provide for interaction with a user, operations can be implemented on a computer having a display device (e.g., a monitor or another type of display device) for displaying information to the user and a keyboard and a pointing device (e.g., a mouse, a trackball, a tablet, a touch sensitive screen, or another type of pointing device) by which the user can provide input to the computer. Other kinds of devices can be used to provide for interaction with a user as well; for example, feedback provided to the user can be any form of sensory feedback, such as visual feedback, auditory feedback, or tactile feedback; and input from the user can be received in any form, including acoustic, speech, or tactile input. In addition, a computer can interact with a user by sending documents to and receiving documents from a device that is used by the user; for example, by sending web pages to a web browser on the user's client device in response to requests received from the web browser.
A computer system may include a single computing device, or multiple computers that operate in proximity to or generally remote from each other and typically interact through a communication network. Examples of communication networks include a local area network ("LAN") and a wide area network ("WAN"), an inter-network (e.g., the Internet), a network comprising a satellite link, and peer-to-peer networks (e.g., ad hoc peer-to-peer networks). A relationship of client and server may arise by virtue of computer programs running on the respective computers and having a client-server relationship to each other.
While this specification contains many details, these should not be construed as limitations on the scope of what may be claimed, but rather as descriptions of features specific to particular examples. Certain features that are described in this specification in the context of separate implementations can also be combined. Conversely, various features that are described in the context of a single implementation can also be implemented in multiple embodiments separately or in any suitable subcombination.
Similarly, while operations are depicted in the drawings in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. In certain circumstances, multitasking and parallel processing may be advantageous. Moreover, the separation of various system components in the implementations described above should not be understood as requiring such separation in all implementations, and it should be understood that the described program components and systems can generally be integrated together in a single software product or packaged into multiple software products.
Furthermore, without departing from the scope of the present disclosure, the techniques, systems, subsystems, and methods described and illustrated in the various implementations as discrete or separate may be combined or integrated with other systems, modules, techniques, or methods. Other items shown or discussed as coupled or directly coupled or communicating with each other may be indirectly coupled or communicating through some interface, device, or intermediate component, whether electrically, mechanically, or otherwise. Other examples of changes, substitutions, and alterations are ascertainable by one skilled in the art and could be made without departing from the spirit and scope disclosed herein.
While the above detailed description has shown, described, and pointed out the fundamental novel features of the disclosure as applied to various implementations, it will be understood that various omissions, substitutions, and changes in the form and details of the systems illustrated may be made by those skilled in the art without departing from the intent of the disclosure. In addition, the order of method steps is not implied by the order in which they appear in the claims.
Claims (20)
1. A method, comprising:
receiving, at an enterprise mobility management (EMM) client on a mobile device, a certificate for accessing enterprise resources from an EMM server;
sending an authentication request from an application on the mobile device to an identity provider;
in response to the authentication request, receiving an authentication challenge from the identity provider, wherein the authentication challenge includes a certificate request;
from the application and in response to the authentication challenge, sending an authentication response, wherein the authentication response includes the certificate; and
receiving an authorization token from the identity provider, wherein the authorization token indicates whether the identity provider has verified the certificate and the mobile device.
2. The method of claim 1, further comprising:
before sending the authentication response, determining whether the application is provisioned with the certificate of the enterprise associated with the enterprise resources; and
wherein sending the authentication response is in response to determining that the application is provisioned.
3. The method of claim 1, further comprising:
sending an access request from the application on the mobile device to a service provider that provides enterprise services for the enterprise; and
in response to the access request, receiving the authentication request.
4. The method of claim 1, wherein the authentication request is initiated in response to the application accessing the identity provider.
5. The method of claim 1, wherein the authentication challenge and the authentication response are transmitted according to a Transport Layer Security (TLS) handshake protocol.
6. The method of claim 1, wherein the certificate is stored in a keystore that is part of a trusted zone (TZ).
7. The method of claim 1, further comprising:
in response to the authentication response, receiving a second authentication request for a service credential; and
sending a second authentication response in response to the second authentication request, wherein the second authentication response includes the service credential associated with the application.
8. The method of claim 1, wherein the application comprises at least one of an enterprise application or a browser.
9. A mobile device, comprising:
a memory; and
at least one hardware processor communicatively coupled with the memory and configured to:
receive, at an enterprise mobility management (EMM) client on the mobile device, a certificate for accessing enterprise resources from an EMM server;
send an authentication request from an application on the mobile device to an identity provider;
in response to the authentication request, receive an authentication challenge from the identity provider, wherein the authentication challenge includes a certificate request;
from the application and in response to the authentication challenge, send an authentication response, wherein the authentication response includes the certificate; and
receive an authorization token from the identity provider, wherein the authorization token indicates whether the identity provider has verified the certificate and the mobile device.
10. The mobile device of claim 9, wherein the at least one hardware processor is further configured to:
before sending the authentication response, determine whether the application is provisioned with the certificate of the enterprise associated with the enterprise resources; and
wherein sending the authentication response is in response to determining that the application is provisioned.
11. The mobile device of claim 9, wherein the at least one hardware processor is further configured to:
send an access request from the application on the mobile device to a service provider that provides enterprise services for the enterprise; and
in response to the access request, receive the authentication request.
12. The mobile device of claim 9, wherein the authentication request is initiated in response to the application accessing the identity provider.
13. The mobile device of claim 9, wherein the authentication challenge and the authentication response are transmitted according to a Transport Layer Security (TLS) handshake protocol.
14. The mobile device of claim 9, wherein the certificate is stored in a keystore that is part of a trusted zone (TZ).
15. The mobile device of claim 9, wherein the at least one hardware processor is further configured to:
in response to the authentication response, receive a second authentication request for a service credential; and
send a second authentication response in response to the second authentication request, wherein the second authentication response includes the service credential associated with the application.
16. The mobile device of claim 9, wherein the application comprises at least one of an enterprise application or a browser.
17. A non-transitory computer-readable medium comprising instructions which, when executed, cause a computing device to perform operations comprising:
receiving, at an enterprise mobility management (EMM) client on a mobile device, a certificate for accessing enterprise resources from an EMM server;
sending an authentication request from an application on the mobile device to an identity provider;
in response to the authentication request, receiving an authentication challenge from the identity provider, wherein the authentication challenge includes a certificate request;
from the application and in response to the authentication challenge, sending an authentication response, wherein the authentication response includes the certificate; and
receiving an authorization token from the identity provider, wherein the authorization token indicates whether the identity provider has verified the certificate and the mobile device.
18. The non-transitory computer-readable medium of claim 17, wherein the operations further comprise:
before sending the authentication response, determining whether the application is provisioned with the certificate of the enterprise associated with the enterprise resources; and
wherein sending the authentication response is in response to determining that the application is provisioned.
19. The non-transitory computer-readable medium of claim 17, wherein the operations further comprise:
sending an access request from the application on the mobile device to a service provider that provides enterprise services for the enterprise; and
in response to the access request, receiving the authentication request.
20. The non-transitory computer-readable medium of claim 17, wherein the authentication request is initiated in response to the application accessing the identity provider.
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15/060,466 | 2016-03-03 | ||
US15/060,466 US10305885B2 (en) | 2016-03-03 | 2016-03-03 | Accessing enterprise resources using provisioned certificates |
PCT/US2017/019596 WO2017151464A1 (en) | 2016-03-03 | 2017-02-27 | Accessing enterprise resources |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109076075A true CN109076075A (en) | 2018-12-21 |
CN109076075B CN109076075B (en) | 2021-11-09 |
Family
ID=58264643
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201780024479.4A Active CN109076075B (en) | 2016-03-03 | 2017-02-27 | Accessing enterprise resources |
Country Status (4)
Country | Link |
---|---|
US (1) | US10305885B2 (en) |
EP (1) | EP3408994B1 (en) |
CN (1) | CN109076075B (en) |
WO (1) | WO2017151464A1 (en) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111259363A (en) * | 2020-01-19 | 2020-06-09 | 数字广东网络建设有限公司 | Service access information processing method, system, device, equipment and storage medium |
CN112769549A (en) * | 2020-12-29 | 2021-05-07 | 苏宁消费金融有限公司 | Cache-based visual certificate upgrading method and system |
CN112997462A (en) * | 2019-10-15 | 2021-06-18 | 谷歌有限责任公司 | System and method for protecting data |
CN114073040A (en) * | 2019-08-05 | 2022-02-18 | 万事达卡国际公司 | Secure server client interaction |
CN115336231A (en) * | 2020-03-23 | 2022-11-11 | 微软技术许可有限责任公司 | Device provisioning using supplemental cryptographic identities |
Families Citing this family (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP6680022B2 (en) * | 2016-03-18 | 2020-04-15 | 株式会社リコー | Information processing apparatus, information processing system, information processing method, and program |
US10516653B2 (en) | 2016-06-29 | 2019-12-24 | Airwatch, Llc | Public key pinning for private networks |
US11165591B2 (en) * | 2016-09-08 | 2021-11-02 | Cable Television Laboratories, Inc. | System and method for a dynamic-PKI for a social certificate authority |
US10587582B2 (en) | 2017-05-15 | 2020-03-10 | Vmware, Inc | Certificate pinning by a tunnel endpoint |
US10447486B2 (en) * | 2017-07-19 | 2019-10-15 | Spyrus, Inc. | Remote attestation of a security module's assurance level |
US10355864B2 (en) | 2017-08-29 | 2019-07-16 | Citrix Systems, Inc. | Policy based authentication |
EP3861795A1 (en) * | 2018-11-15 | 2021-08-11 | Huawei Technologies Co., Ltd. | Automatic digital identification system integrated between consumer devices and backend services |
WO2020124420A1 (en) * | 2018-12-19 | 2020-06-25 | Citrix Systems, Inc. | Scenario based multiple applications on-screen |
US11329990B2 (en) * | 2019-05-17 | 2022-05-10 | Imprivata, Inc. | Delayed and provisional user authentication for medical devices |
CN111416822B (en) * | 2020-03-20 | 2022-10-18 | 数篷科技(深圳)有限公司 | Method for access control, electronic device and storage medium |
US11032270B1 (en) * | 2020-04-07 | 2021-06-08 | Cyberark Software Ltd. | Secure provisioning and validation of access tokens in network environments |
US10965674B1 (en) | 2020-06-08 | 2021-03-30 | Cyberark Software Ltd. | Security protection against threats to network identity providers |
CN114666147A (en) * | 2022-03-31 | 2022-06-24 | 深信服科技股份有限公司 | Identity authentication method, device, equipment and readable storage medium |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040003008A1 (en) * | 1995-04-03 | 2004-01-01 | Wasilewski Anthony J. | Method for partially encrypting program data |
US20100064134A1 (en) * | 2005-12-23 | 2010-03-11 | Gross Thomas R | Secure identity management |
CN102047709A (en) * | 2008-06-02 | 2011-05-04 | 微软公司 | Trusted device-specific authentication |
US20130346745A1 (en) * | 2010-12-22 | 2013-12-26 | Mobile Iron, Inc. | Management of certificates for mobile devices |
CN103942684A (en) * | 2014-04-25 | 2014-07-23 | 天地融科技股份有限公司 | Data security interactive system |
US9191381B1 (en) * | 2011-08-25 | 2015-11-17 | Symantec Corporation | Strong authentication via a federated identity protocol |
CN105187372A (en) * | 2015-06-09 | 2015-12-23 | 深圳市腾讯计算机系统有限公司 | Method for data processing based on mobile application entrance, device and system |
Family Cites Families (21)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7187772B2 (en) * | 2001-08-31 | 2007-03-06 | Hewlett-Packard Development Company, L.P. | Anonymous transactions based on distributed processing |
DE602005017050D1 (en) | 2004-08-24 | 2009-11-19 | Gemalto Sa | PERSONAL TOKEN AND METHOD FOR CONTROLLED AUTHENTICATION |
US8590027B2 (en) | 2007-02-05 | 2013-11-19 | Red Hat, Inc. | Secure authentication in browser redirection authentication schemes |
WO2009074709A1 (en) | 2007-12-10 | 2009-06-18 | Nokia Corporation | Authentication arrangement |
CN102668501B (en) | 2009-10-15 | 2015-12-09 | 交互数字专利控股公司 | Produce based on the registration of service of subscribing to and voucher for accessing |
US8549300B1 (en) | 2010-02-23 | 2013-10-01 | Juniper Networks, Inc. | Virtual single sign-on for certificate-protected resources |
US9032473B2 (en) | 2010-03-02 | 2015-05-12 | Interdigital Patent Holdings, Inc. | Migration of credentials and/or domains between trusted hardware subscription modules |
US10064974B2 (en) * | 2011-01-31 | 2018-09-04 | Thomas Gerber | Silicic acid condensates having a low degree of cross-linking in a polymer matrix |
CA2835349C (en) * | 2011-02-15 | 2017-02-28 | Research In Motion Limited | System and method for identity management for mobile devices |
WO2012123727A1 (en) * | 2011-03-11 | 2012-09-20 | Callsign, Inc | Personal identity control |
US8955078B2 (en) | 2011-06-30 | 2015-02-10 | Cable Television Laboratories, Inc. | Zero sign-on authentication |
US8850187B2 (en) * | 2012-05-17 | 2014-09-30 | Cable Television Laboratories, Inc. | Subscriber certificate provisioning |
US9690920B2 (en) | 2012-08-30 | 2017-06-27 | International Business Machines Corporation | Secure configuration catalog of trusted identity providers |
US8935808B2 (en) | 2012-12-18 | 2015-01-13 | Bank Of America Corporation | Identity attribute exchange and validation broker |
US9286465B1 (en) * | 2012-12-31 | 2016-03-15 | Emc Corporation | Method and apparatus for federated single sign on using authentication broker |
US8893230B2 (en) | 2013-02-22 | 2014-11-18 | Duo Security, Inc. | System and method for proxying federated authentication protocols |
US20140379584A1 (en) * | 2013-06-25 | 2014-12-25 | FraudFree Finance, LLC | Anti-fraud financial transaction method |
WO2015013412A1 (en) * | 2013-07-23 | 2015-01-29 | Azuki Systems, Inc. | Media client device authentication using hardware root of trust |
FR3021177B1 (en) * | 2014-05-14 | 2016-06-10 | Evidian | METHOD FOR MANAGING USER ACCOUNTS IN A HOSTED APPLICATION |
US9749310B2 (en) * | 2015-03-27 | 2017-08-29 | Intel Corporation | Technologies for authentication and single-sign-on using device security assertions |
US10187374B2 (en) * | 2015-10-29 | 2019-01-22 | Airwatch Llc | Multi-factor authentication for managed applications using single sign-on technology |
2016
- 2016-03-03 US US15/060,466 patent/US10305885B2/en active Active
2017
- 2017-02-27 EP EP17709890.2A patent/EP3408994B1/en active Active
- 2017-02-27 CN CN201780024479.4A patent/CN109076075B/en active Active
- 2017-02-27 WO PCT/US2017/019596 patent/WO2017151464A1/en active Application Filing
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114073040A (en) * | 2019-08-05 | 2022-02-18 | 万事达卡国际公司 | Secure server client interaction |
CN114073040B (en) * | 2019-08-05 | 2023-12-05 | 万事达卡国际公司 | Method for secure server client interaction, computing device, and server |
CN112997462A (en) * | 2019-10-15 | 2021-06-18 | 谷歌有限责任公司 | System and method for protecting data |
CN112997462B (en) * | 2019-10-15 | 2022-11-22 | 谷歌有限责任公司 | System and method for protecting data |
CN111259363A (en) * | 2020-01-19 | 2020-06-09 | 数字广东网络建设有限公司 | Service access information processing method, system, device, equipment and storage medium |
CN115336231A (en) * | 2020-03-23 | 2022-11-11 | 微软技术许可有限责任公司 | Device provisioning using supplemental cryptographic identities |
CN112769549A (en) * | 2020-12-29 | 2021-05-07 | 苏宁消费金融有限公司 | Cache-based visual certificate upgrading method and system |
Also Published As
Publication number | Publication date |
---|---|
US10305885B2 (en) | 2019-05-28 |
CN109076075B (en) | 2021-11-09 |
WO2017151464A1 (en) | 2017-09-08 |
EP3408994B1 (en) | 2019-10-30 |
US20170257360A1 (en) | 2017-09-07 |
EP3408994A1 (en) | 2018-12-05 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109076075A (en) | Access corporate resources | |
US20200304492A1 (en) | Authentication of a Client Device Based on Entropy from a Server or Other Device | |
US9973489B2 (en) | Providing virtualized private network tunnels | |
TWI510108B (en) | Method and apparatus for trusted federated identity management and data access authorization | |
US8914845B2 (en) | Providing virtualized private network tunnels | |
EP3364629B1 (en) | Providing virtualized private network tunnels | |
EP3162103B1 (en) | Enterprise authentication via third party authentication support | |
CN107425980B (en) | Communication between workspaces | |
EP3337125B1 (en) | Authenticating for an enterprise service | |
EP3163490B1 (en) | Providing security assurance information |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||